It's certainly an interesting idea. Can you think of benefits of using this approach over a password manager? I guess capturing the database wouldn't be enough, as you'd then have to either brute-force with your new dictionary, or keylog the entry for a site?
– Xiong Chiamiov Dec 1 '16 at 2:36

Isn't the script still sending the keys to be logged? In any case, some password managers have similar features, you are probably better off using one of them.
– Alexander O'Mara Dec 1 '16 at 3:06

I'm completely sold on password managers. But, call it security-by-novelty, sometimes it pays to be different, as the password manager breaches start to trickle in. As for keyloggers, true, the gains are less certain-- but then again, isn't malware = game over?
– Jedi Dec 1 '16 at 4:45

True, but this could be mitigated by having a shortcut key replacement for all 101 * 2 (shift key) keys and you could use a different sequence of (say) 8 for each website. You're less likely to be caught in a broad attack, as no one's looking....
– Jedi Dec 5 '16 at 9:44

A reasonable point though I think that it depends on where an attacker is monitoring the dialog. Personally, I'd say the risks are a lot lower when using a hardened, proven, tested tool. This is one of the tenets of security - don't roll your own.
– Julian Knight Dec 5 '16 at 13:28

Does this method buy me any increase in password security? Is it a good idea to try?

Using AutoHotKey buys you a small bit of security through obscurity, because if an attacker gets access to your computer, an .ahk file is probably not on the list of "credential-holding files" that common exploit toolkits will look for.

Still, storing unencrypted passwords in a .ahk file is notably LESS secure than using an encrypted password manager. I wouldn't consider it a good idea to use AutoHotKey for security.

The key substitution merely adds a layer of obfuscation on the underlying security, and this obfuscation buys longer, more complex passwords that don't have a memorization problem. I'm not sure why hashing the password helps, and how using AHK for this is more secure than my approach.
– Jedi Dec 6 '16 at 19:22

AHK = AutoHotKey (Hint: look at the file extension in your question). Hashing serves the same purpose as "obfuscation" but does it in a much more secure way: there's no way for a spear-phishing hacker to learn your dictionary from a few compromised sites.
– billc.cn Dec 6 '16 at 22:21
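
The contrast drawn in the last comment, as an added example that is not part of the original thread: passwords built from a substitution dictionary expose pieces of that dictionary whenever a site leaks them, while hash-derived passwords expose nothing reusable. The sample dictionary, the fixed 4-character chunk size, the function names, and the choice of PBKDF2 with the site name as salt are all assumptions made for illustration.

```python
import base64
import hashlib

CHUNK = 4  # assumed: every key expands to a chunk of the same length
# Constructed sample dictionary (key -> replacement text), not from the thread.
SUBST = {"a": "q7#L", "b": "Zp2!", "c": "m9Kx", "d": "T4$w"}


def subst_password(keys):
    """Password produced by typing `keys` through the substitution dictionary."""
    return "".join(SUBST[k] for k in keys)


def chunks(password):
    """Split a password into the fixed-size chunks it was built from."""
    return {password[i:i + CHUNK] for i in range(0, len(password), CHUNK)}


def learn_chunks(leaked_passwords):
    """Dictionary chunks that become known once these passwords leak."""
    known = set()
    for pw in leaked_passwords:
        known |= chunks(pw)
    return known


def exposed_by_leaks(target_keys, leaked_passwords):
    """True if another site's password uses only chunks that already leaked."""
    return chunks(subst_password(target_keys)) <= learn_chunks(leaked_passwords)


def hashed_password(master, site, length=20):
    """Per-site password derived from one master secret (bytes).

    PBKDF2-HMAC-SHA256 with the site name as salt is an assumed construction;
    a leaked output does not reveal the master secret or other sites' outputs.
    """
    raw = hashlib.pbkdf2_hmac("sha256", master, site.encode(), 200_000, dklen=32)
    return base64.b85encode(raw).decode()[:length]


if __name__ == "__main__":
    leaks = [subst_password("ab"), subst_password("cd")]
    print("chunks learned from two leaks:", sorted(learn_chunks(leaks)))
    print("third site fully exposed:", exposed_by_leaks("dcba", leaks))
    print("hash-derived:", hashed_password(b"constructed master", "a.example"))
```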